CVE-2020-14061

Published Jun 14, 2020

Last updated a year ago

CVSS high 8.1

Overview

Description: FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).
Source: cve@mitre.org
NVD status: Modified

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.1
Impact score: 5.9
Exploitability score: 2.2
Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 6.8
Impact score: 6.4
Exploitability score: 8.6
Vector string: AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-502

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4B92AF50-0155-471E-B5C4-1CFD95F4B7D0",
            "versionEndExcluding": "2.9.10.5",
            "versionStartIncluding": "2.9.0"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:linux:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9FBC1BD0-FF12-4691-8751-5F245D991989",
            "versionStartIncluding": "7.3"
          },
          {
            "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:windows:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BD075607-09B7-493E-8611-66D041FFDA62",
            "versionStartIncluding": "7.3"
          },
          {
            "criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vmware_vsphere:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0CB28AF5-5AF0-4475-A7B6-12E1795FFDCB",
            "versionStartIncluding": "9.5"
          },
          {
            "criteria": "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E94F7F59-1785-493F-91A7-5F5EA5E87E4D"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43"
          }
        ],
        "operator": "OR"
      }
    ]
  },
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C650FEDB-E903-4C2D-AD40-282AB5F2E3C2"
          },
          {
            "criteria": "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "97994257-C9A4-4491-B362-E8B25B7187AB"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BBE7BF09-B89C-4590-821E-6C0587E096B5"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "ADAE8A71-0BCD-42D5-B38C-9B2A27CC1E6B"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "E7231D2D-4092-44F3-B60A-D7C9ED78AFDF"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F7BDFC10-45A0-46D8-AB92-4A5E2C1C76ED"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "18127694-109C-4E7E-AE79-0BA351849291"
          },
          {
            "criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_calendar_server:8.0.0.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "46059231-E7F6-4402-8119-1C7FE4ABEA96"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.5.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D01A0BBC-DA0E-4AFE-83BF-4F3BA01653EC"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "526E2FE5-263F-416F-8628-6CD40B865780",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.0.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B51F78F4-8D7E-48C2-86D1-D53A6EB348A7",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.2.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "987811D5-DA5E-493D-8709-F9231A84E5F9"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0DB23B9A-571E-4B77-B432-23F3DC9B67D1"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "3E5416A1-EE58-415D-9645-B6A875EBAED2",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.2.0"
          },
          {
            "criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "11B0C37E-D7C7-45F2-A8D8-5A3B1B191430",
            "versionEndIncluding": "8.2.2",
            "versionStartIncluding": "8.2.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

CVSS 2.0

Weaknesses

Social media

Configurations

References